Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account
Cybersecurity NewsArchived Jun 02, 2026✓ Full text saved
A critical security vulnerability in the popular WP Maps Pro WordPress plugin could allow attackers to gain full control of affected websites by creating unauthorized administrator accounts. The flaw, tracked as CVE-2026-8732 with a CVSS score of 9.8, impacts all plugin versions up to 6.1.0 and has raised serious concerns across the WordPress ecosystem. WP […] The post Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account
By Abinaya
June 2, 2026
A critical security vulnerability in the popular WP Maps Pro WordPress plugin could allow attackers to gain full control of affected websites by creating unauthorized administrator accounts.
The flaw, tracked as CVE-2026-8732 with a CVSS score of 9.8, impacts all plugin versions up to 6.1.0 and has raised serious concerns across the WordPress ecosystem.
WP Maps Pro Vulnerability
The vulnerability was discovered by security researcher David Brown and reported through the Wordfence Bug Bounty Program, earning a $1,950 reward.
WP Maps Pro, which has recorded more than 15,000 sales on CodeCanyon, is widely used to embed customizable Google Maps with advanced location features.
At the core of the issue is an unauthenticated privilege escalation flaw within the plugin’s AJAX functionality. Specifically, the vulnerable endpoint is exposed through the wpgmp_temp_access_ajax action, which is incorrectly registered to allow unauthenticated access.
Although the function includes a nonce check, the nonce is publicly accessible within the frontend JavaScript, rendering the protection ineffective.
Attackers can exploit this weakness by sending a crafted request with a parameter that triggers the plugin’s temporary access feature.
The analysis shows where Wordfence blocks exploitation attempts.(source: wordfence)
This feature was originally designed to grant support staff temporary login access but lacks proper authorization checks. As a result, the plugin automatically creates a new user with administrator privileges using built-in WordPress functions.
Once the account is created, the plugin generates a “magic login URL” that allows passwordless authentication. Visiting this URL logs the attacker in as an administrator via a session cookie, granting them unrestricted control over the website.
This includes the ability to install malicious plugins, inject backdoors, manipulate site content, or exfiltrate sensitive data.
The vendor has addressed the vulnerability in version 6.1.1 by implementing a proper capability check using current_user_can(‘manage_options’), ensuring that only authenticated administrators can access the sensitive functionality.
Wordfence acted swiftly to protect users by deploying a firewall rule on May 18, 2026, for its premium, care, and response customers.
Users of the free version are scheduled to receive the same protection on June 17, 2026. Due to the lack of direct vendor contact, the vulnerability disclosure was coordinated through Envato’s security team.
Security experts strongly urge all WP Maps Pro users to update to version 6.1.1 immediately. Websites running outdated versions remain highly vulnerable to exploitation, with attackers requiring no authentication to compromise entire systems.
This incident highlights the ongoing risks posed by improperly secured AJAX endpoints. It underscores the importance of implementing strict access controls in plugin development.
Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices
China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand
Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links
VaultJacking Attack Steals Entire Google Password Manager Vault With One Captured PIN
Latest News
Cyber Security News
IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request
Cyber Security News
Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks
Cyber Security News
Critical MCP Toolbox Vulnerability Impacts Enterprise Database onnectors
Cyber Security News
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices
Cyber Security
Microsoft Office for the Web and Teams Hit by File Access Outage